Monthly Archives: April 2011

FAQ
Q. What is Forefront Endpoint Protection 2010?
A. Forefront Endpoint Protection 2010, the next version for Forefront Client Security, simplifies and improves endpoint protection while greatly reducing infrastructure costs. It builds on System Center Configuration Manager 2007 R2 and R3, allowing customers to use their existing client management infrastructure to deploy and manage endpoint protection. This shared infrastructure lowers ownership costs while providing improved visibility and control over endpoint management and security. Forefront Endpoint Protection 2010 provides proven, highly accurate detection of known and unknown threats.
Q. How can I download the Forefront Endpoint Protection 2010 trial software?
A. You can download the trial here.
Q. What new features are included in Forefront Endpoint Protection 2010?
A. Some of the new features in Forefront Endpoint Protection 2010 include:
• Integration with System Center Configuration Manager. Single interface for managing and securing endpoints reduces complexity and improves troubleshooting and reporting insights.
• New Antivirus Engine. Highly accurate and efficient threat detection protects against the latest malware and rootkits with low false positive rate.
• New behavioral threat detection. Protection against “unknown” or “zero day” threats provided through behavior monitoring, emulation, and dynamic translation.
• Windows Firewall management. Ensures Windows Firewall is active and working properly on all endpoints, and allows administrators to more easily manage firewall protections across the enterprise.
Q. How is Forefront Endpoint Protection 2010 managed?
A. Forefront Endpoint Protection 2010 is built on System Center Configuration Manager 2007. Customers use Configuration Manager 2007 R2 or R3 to deploy, configure, monitor, and report on Forefront Endpoint Protection 2010.
For managing server operating system protection, organizations can also use the Forefront Endpoint Protection Security Management Pack, which provides real-time monitoring using System Center Operations Manager.
Q. What version of System Center Configuration Manager does Forefront Endpoint Protection 2010 support?
A. Forefront Endpoint Protection 2010 works with System Center Configuration Manager 2007 R2 and R3.
Q. Which operating systems does Forefront Endpoint Protection support?
A. Forefront Endpoint Protection 2010 protects Windows XP, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008. Please refer to the system requirements for more details.
Q. Will there be tools for upgrading from Forefront Client Security to Forefront Endpoint 2010?
A. Yes. Microsoft plans to provide tools to help companies migrate users from Forefront Client Security to Forefront Endpoint Protection 2010.
Q. Which languages is Forefront Endpoint Protection 2010 available in?
A. Forefront Endpoint Protection 2010 is available in English, German, Japanese, Chinese (Simplified), Chinese (Traditional), French, Italian, Korean, and Spanish.
Q. How much does Forefront Endpoint Protection 2010 cost? What licenses do I need to purchase?
A. You can find out more on Forefront Endpoint Protection 2010 pricing and licensing on the Pricing and Licensing page.
Q. What is the difference between Forefront Endpoint Protection and Microsoft Security Essentials?
A. For consumers and very small businesses needing protection from malicious software including spyware, viruses, trojans and rootkits, Microsoft Security Essentials is a no-cost, high-quality anti-malware service that efficiently addresses the ongoing security needs of a genuine Windows-based PC. Forefront Endpoint Protection 2010 provides endpoint protection for business environments, including antimalware and additional protections like behavior monitoring and firewall management. Forefront Endpoint Protection 2010 also includes central deployment, configuration, and reporting features needed for ensuring protection is maintained across the enterprise.

Pricing and Licensing
Licensing
Forefront Endpoint Protection 2010 is available as a per-user or per-device subscription through Microsoft Volume Licensing. The subscription includes all antimalware updates and product upgrades during the license period.
• Client operating systems can be licensed with a User Subscription License (USL) or Device Subscription License (DSL).
• Server operating systems must be licensed with a Device Subscription License (DSL).
Microsoft System Center Configuration Manager 2007 R2 or R3 serves as the management infrastructure for Forefront Endpoint Protection 2010. For customers who want to centrally manage Forefront Endpoint Protection, valid System Center Configuration Manager 2007 licenses are required.
In addition to being offered as a stand-alone product, Forefront Endpoint Protection 2010 can be purchased as part of the Core CAL Suite or Forefront Protection Suite.
Pricing
The estimated annual subscription price for an organization with at least five users is listed below. Additional discounts are provided through Microsoft Volume Licensing.
Product: Microsoft Forefront Endpoint Protection 2010
Estimated Prices: $10.20 US per user or per device, per year
Description: Forefront Endpoint Protection 2010 provides antimalware protection for desktop and server operating systems. It is built on System Center Configuration Manager, giving customers a single infrastructure for managing and securing endpoints.

The management infrastructure of Forefront Endpoint Protection (FEP) is built on the System Center family of products, while the management infrastructure of Forefront Client Security (FCS) runs on a customized version of Microsoft Operations Manager 2005.
Because the management infrastructure on which these programs run is different, you cannot directly upgrade from FCS to FEP. In order to migrate from FCS to FEP, you must perform the following steps:
1. In the FCS console, document the settings for each policy you want to preserve for FEP.
2. In WSUS, unapprove all of the FCS client installation packages. These packages are listed as follows:
• Classification: Updates
• Product: Forefront Client Security
The updates have names in the following format:

Client Update for Microsoft Forefront Client Security (1.0.xxxx.0)

where xxxx is the specific build number for each package. You must unapprove all of the updates.
Caution:
You should not uninstall the FCS client software. Doing so would leave your client computers unprotected. When you deploy the FEP client software, the FEP client software uninstalls the FCS client software for you.
3. Install a new FEP installation on a System Center Configuration Manager server. For steps explaining how to do this, see FEP 2010.
4. Create FEP policies that contain the settings that you want to continue to enforce on your client computers. For more information about FEP policies, see Configuring Client Settings by Using Policies.
5. Deploy the FEP client software to the computers in your organization that are running the FCS client software. For steps on how to deploy the FEP client software, see FEP 2010.

The FEP client software uninstalls the FCS client software before installing. For more information, see FEP 2010.
Important:
The uninstall of the FCS client software also uninstalls the Microsoft Operations Manager 2005 agent.
6. After you confirm that all computers running the FCS client software are successfully running the FEP client software, you should undeploy the FCS policies. In the FCS console, undeploy the policy you created to install the FCS client software. For more information about monitoring FEP client software deployment, see Validating Deployment. For more information about undeploying FCS policies, see Removing an existing installation of Client Security (http://go.microsoft.com/fwlink/?LinkId=206850).
Important:
If you uninstall the FCS management infrastructure (the management, collection, collection database, reporting, and reporting database roles), the data stored in the reporting database is no longer accessible.
In order to preserve the historical reporting information stored in the FCS reporting database, you should not uninstall your FCS management infrastructure until you no longer need this data.


You receive an “Error 1606” error message when you try to install or remove a Microsoft program

Courtesy link: http://support.microsoft.com/kb/886549
SYMPTOMS
When you try to install or remove any one of the products listed in the “Applies To” section, you may receive an error message that resembles the following:
Error 1606: Could Not Access Network Location
CAUSE
This issue may occur if there is an incorrect setting in one of the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

To have us fix this problem for you, go to the “Fix it for me” section. To fix this problem yourself, go to the “Let me fix it myself” section.

Note This Fix it package can automatically recover all the registry entries that are listed in the following tables.
Fix it for me
To fix this problem automatically, click the Fix it button or link. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.

Fix this problem
Microsoft Fix it 50356

Notes
This wizard may be in English only; however, the automatic fix also works for other language versions of Windows.
If you are not on the computer that has the problem, save the Fix it solution to a flash drive or a CD and then run it on the computer that has the problem.
Let me fix it myself
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows

To resolve this issue yourself, follow these steps:
1. Click Start, click Run, type Regedit.exe, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
3. In the right pane, verify that the values are the same as the values in the following table. If each value matches the table, go to step 7.
For Windows XP and for Windows Server 2003
Value name Type Value data

For Windows Vista, Windows 7 and Windows Server 2008

4. If any Name, Type, or Value does not match the table in step 3, right-click the Value name, and then click Delete.
5. In the left pane, right-click User Shell Folders, point to New, click Expandable String Value, type the Name value that you want from the table in step 3, and then press ENTER.
6. Right-click the value that you created in step 5, click Modify, type the value in the Value data box for the Value name, and then click OK.
7. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
8. In the right pane, verify that the values are the same as the values in the following table. If each value matches the table, go to step 12.
For Windows XP and for Windows Server 2003

9. If any Name, Type, or Value does not match the table in step 8, right-click the Value name, and then click Delete.
10. In the left pane, right-click User Shell Folders, point to New, click Expandable String Value, type the Name value that you want from the table in step 8, and then press ENTER.
11. Right-click the value that you created in step 10, click Modify, type the value in the Value data box for the Value name, and then click OK.
12. Exit Registry Editor, and then restart the computer.
Note This is a “FAST PUBLISH” article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.
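
Before editing either subkey by hand, a read-only audit shows which entries are worth a closer look. The script below is an added example, not part of the KB article or of the Fix it package; the function name and output columns are hypothetical. The article's tables of expected values are not reproduced on this page, so the script checks only what can be checked without them: the value type (the manual steps create Expandable String values), empty data, and, as an assumption about what "incorrect setting" means for a "Could Not Access Network Location" error, whether the expanded path can be reached.

```powershell
# Added example (not from the KB article): read-only audit of the two
# "User Shell Folders" subkeys. It reports findings and changes nothing.
# Get-UserShellFolderAudit and its output columns are hypothetical names.
function Get-UserShellFolderAudit {
    [CmdletBinding()]
    param(
        [string[]]$KeyPath = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
        )
    )

    foreach ($path in $KeyPath) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) {
            New-Object psobject -Property @{
                Key = $path; Name = $null; Type = $null; Data = $null
                Finding = 'Subkey not found'
            }
            continue
        }

        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            # Read the stored string without expanding %VARIABLES%, as Regedit shows it.
            $raw = [string]$key.GetValue($name, '',
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $expanded = [Environment]::ExpandEnvironmentVariables($raw)

            $finding = 'OK'
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::ExpandString) {
                # The manual fix recreates entries as Expandable String values.
                $finding = "Type is $kind, expected Expandable String (REG_EXPAND_SZ)"
            }
            elseif ([string]::IsNullOrEmpty($raw.Trim())) {
                $finding = 'Value data is empty'
            }
            elseif ($expanded -match '%[^%\\]+%') {
                $finding = 'Contains an environment variable that does not resolve'
            }
            else {
                # Assumption: an unreachable folder or share is the kind of
                # incorrect setting that surfaces as Error 1606.
                $reachable = $false
                try { $reachable = Test-Path -LiteralPath $expanded -ErrorAction Stop } catch { }
                if (-not $reachable) { $finding = "Path cannot be reached: $expanded" }
            }

            New-Object psobject -Property @{
                Key = $key.Name; Name = $name; Type = $kind; Data = $raw
                Finding = $finding
            }
        }
    }
}

# Show only the entries that need attention.
Get-UserShellFolderAudit |
    Where-Object { $_.Finding -ne 'OK' } |
    Format-List Key, Name, Type, Data, Finding
```

Run it as the affected user so that the HKEY_CURRENT_USER hive and %USERPROFILE% resolve for that account.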

Open a run window (Windows key+R), type slmgr.vbs -dli and press Enter to display the licence information.

To release the product key for use elsewhere, use slmgr.vbs -upk. However, if you have a problem with the UPK option, look at this Vista page: http://support.microsoft.com/kb/947241. If that does not, just reinstall the Windows XP license that was previously on the machine. You will need to reactivate Windows 7 Ultimate by telephone on the new machine.

To back up your personal files and settings, use Windows Easy Transfer. Windows 7’s System Image capability backs up the entire computer. You also have the option of creating a System Image of the current Windows 7 Ultimate installation and just restoring it on the new computer running Windows 7 Home Premium. But, I would recommend when you get the new computer that has Windows 7 Home Premium that you do a Windows Anytime Upgrade instead.

After you run the “slmgr.vbs -upk” command on a Windows Vista-based computer, you cannot see the licensing information, and the Windows Vista activation status is lost
SYMPTOMS
After you run the slmgr.vbs -upk command on a Windows Vista-based computer, you cannot see the licensing information as expected. Additionally, the Windows Vista activation status is lost.

For example, after you run the slmgr.vbs -upk command, you may decide to run the slmgr.vbs -dli command or the slmgr.vbs -dlv command to display the Windows Vista licensing information. However, no result is returned in this situation. Additionally, you may receive the following error message when you check the Windows activation information:

This copy of Windows is not activated. Click here to activate Windows now.
Finally, when you restart the computer, you may be prompted to insert a product key. In this situation, Windows Vista may enter reduced functionality mode.
CAUSE
This problem occurs because the slmgr.vbs -upk command clears all product keys that are present on the computer. For example, these may include the Multiple Activation Key (MAK) and the Key Management Service (KMS) key.
RESOLUTION
To resolve this problem, use one of the following methods.

Method 1
1. In the Start Search box, type command prompt, right-click Command Prompt, and then click Run as administrator.
2. In the Administrator: Command Prompt window, type a command that resembles the following, and then press ENTER:
cscript c:\windows\system32\slmgr.vbs -ipk {ProductKey}
Note If your organization uses a KMS key instead of a MAK key, use the generic KMS key that is provided in the Pid.txt file. This file is located in the \sources folder on the Windows Vista installation DVD.
3. Type a command that resembles the following, and then press ENTER:
cscript c:\windows\system32\slmgr.vbs -ato
Method 2
1. Click the error message that is mentioned in the “Symptoms” section.
2. Type the product key, and then follow the instructions to activate the product key.
Method 3
1. Restart the computer.
2. Log on to the computer. The Windows Activation window will appear.
3. Type the product key, and then follow the instructions to activate the product key.
STATUS
This behavior is by design.
MORE INFORMATION
Steps to reproduce the problem
1. In the Start Search box, type command prompt, right-click Command Prompt, and then click Run as administrator.
2. In the Administrator: Command Prompt window, type a command that resembles the following, and then press ENTER:
cscript c:\windows\system32\slmgr.vbs -upk
3. Type a command that resembles the following, and then press ENTER:
cscript c:\windows\system32\slmgr.vbs -dli
The script generates the following text:
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

However, if you do not use the slmgr.vbs -upk command, the slmgr.vbs -dli command generates text that resembles the following:
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

http://exchangeserverpro.com/how-to-install-updates-on-exchange-server-2010-database-availability-groups
http://www.facebook.com/note.php?note_id=441465534162
http://www.exchange-genie.com/2009/04/database-availability-group-dag-exchange-2010/
An Exchange Server 2010 Database Availability Group (DAG) provides several benefits to an organization, primarily that of continuous availability of mailbox databases.
To update the DAG members with new patches, update rollups or service packs, the update process should be managed to prevent all of the DAG members from being offline at the same time.
To do this you can move the active mailbox databases off a particular server so that it can be patched, and if necessary rebooted, without causing any downtime for mailbox users on that database.
This tutorial demonstrates how to update the servers in an Exchange Server 2010 Database Availability Group without causing the mailbox databases to go offline. For this tutorial Update Rollup 4 for Exchange Server 2010 is being installed.
Preparing a DAG Member for Updates
The first step is to move active mailbox databases to another DAG member so that the server can be updated.
To see a list of mailbox databases and their current active server use the Get-MailboxDatabase cmdlet.
[PS] C:\>Get-MailboxDatabase

Name                 Server  Recovery  ReplicationType
----                 ------  --------  ---------------
Mailbox Database 02  EX1     False     Remote
Mailbox Database 01  EX2     False     Remote
In this example I want to apply updates to server EX1, and I can see that it currently hosts the active copy of Mailbox Database 02.
If your environment has a lot of DAG members and mailbox databases you can refine this query to only show active mailbox databases for a specific server.
[PS] C:\>Get-MailboxDatabase | where {$_.Server -eq "EX1"}

Confirm
Are you sure you want to perform this action?
Moving mailbox database "Mailbox Database 02" from server "ex1.exchangeserverpro.local" to server
"EX2.exchangeserverpro.local".
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y

Name                 Server  Recovery  ReplicationType
----                 ------  --------  ---------------
Mailbox Database 02  EX2     False     Remote
Mailbox Database 01  EX2     False     Remote
As another example, if there were multiple databases active on a server you can move all of them with a single command.
[PS] C:\>Get-MailboxDatabase | where {$_.Server -eq "EX1"} | Move-ActiveMailboxDatabase -ActivateOnServer EX2 -Confirm:$false

Identity         ActiveServerAtStart  ActiveServerAtEnd  Status     NumberOfLogsLost  RecoveryPointObjective  MountStatusAtMoveStart  MountStatusAtMoveEnd
--------         -------------------  -----------------  ------     ----------------  ----------------------  ----------------------  --------------------
Mailbox Data...  ex1                  ex2                Succeeded  0                 14/09/2010...           Mounted                 Mounted
Mailbox Data...  ex1                  ex2                Succeeded  0                 14/09/2010...           Mounted                 Mounted
Note the use of -Confirm:$false to avoid having to confirm each move. Use this option with caution.
After moving all active mailbox databases off the server that you are planning to update, the final preparation step is to block activation on the server to prevent it from automatically reactivating a database copy while you are performing maintenance.
First check the current activation policy on the server using Get-MailboxServer.
[PS] C:\>Get-MailboxServer EX1 | fl Name,DatabaseCopyAutoActivationPolicy

Name : EX1
DatabaseCopyAutoActivationPolicy : Unrestricted
Next, use Set-MailboxServer to block activation.
[PS] C:\>Set-MailboxServer EX1 -DatabaseCopyAutoActivationPolicy Blocked
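
The preparation steps above can be combined into one guarded function, shown here as an added example that is not the tutorial author's script. The function name, its parameters and the queue-length threshold are hypothetical; the pre-check with Get-MailboxDatabaseCopyStatus goes beyond the tutorial's steps and refuses to move a database whose copy on the target server is not healthy and caught up.

```powershell
# Added example (not from the original tutorial). Run in the Exchange Management Shell.
# Start-DagMemberMaintenance, its parameters and the threshold are hypothetical.
function Start-DagMemberMaintenance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Server,        # DAG member to update, e.g. EX1
        [Parameter(Mandatory = $true)][string]$TargetServer,  # member that takes over, e.g. EX2
        [int]$MaxQueueLength = 10                             # assumed limit, tune per environment
    )

    # Databases whose active copy is on $Server (same filter as the tutorial).
    $active = @(Get-MailboxDatabase | Where-Object { $_.Server -eq $Server })

    # Pre-check every database before moving any of them, so a problem with one
    # copy does not leave the server half-drained.
    foreach ($db in $active) {
        $copy = Get-MailboxDatabaseCopyStatus -Identity "$($db.Name)\$TargetServer" -ErrorAction Stop
        if ($copy.Status -ne 'Healthy') {
            throw "Copy of '$($db.Name)' on $TargetServer is $($copy.Status), not Healthy."
        }
        if ($copy.CopyQueueLength -gt $MaxQueueLength -or
            $copy.ReplayQueueLength -gt $MaxQueueLength) {
            throw "Copy of '$($db.Name)' on $TargetServer is behind (copy queue $($copy.CopyQueueLength), replay queue $($copy.ReplayQueueLength))."
        }
    }

    # Move each active database and check the result the cmdlet reports.
    foreach ($db in $active) {
        $result = Move-ActiveMailboxDatabase $db.Name -ActivateOnServer $TargetServer -Confirm:$false
        if ($result.Status -ne 'Succeeded') {
            throw "Move of '$($db.Name)' to $TargetServer reported status $($result.Status)."
        }
    }

    # Confirm nothing is still active on the server being updated.
    $left = @(Get-MailboxDatabase | Where-Object { $_.Server -eq $Server })
    if ($left.Count -gt 0) {
        throw "$($left.Count) database(s) are still active on $Server."
    }

    # Remember the current policy so it can be restored afterwards, then block activation.
    $previous = (Get-MailboxServer $Server).DatabaseCopyAutoActivationPolicy
    Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Blocked

    New-Object psobject -Property @{
        Server                   = $Server
        MovedDatabases           = @($active | ForEach-Object { $_.Name })
        PreviousActivationPolicy = $previous
    }
}

# Usage with the server names from this tutorial:
# $state = Start-DagMemberMaintenance -Server EX1 -TargetServer EX2
```

The returned object records the activation policy that was in place, so the later Set-MailboxServer call can restore that value instead of assuming Unrestricted.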
Stop Conflicting Services
If the mailbox server is running any Exchange-integrated services, such as antivirus software, these should be disabled prior to the update.
For example to disable Forefront use the FSUtility command.
C:\> fsutility /disable
Another example is Data Protection Manager 2010, which may be configured to perform Copy backups from passive database copies at frequent intervals through the day. Make sure these jobs are paused to prevent errors or conflicts from occurring.
Disable Monitoring
If the DAG members are monitored using SCOM or a similar system then this should also be disabled or placed into maintenance mode.
This will prevent alarms from being raised as well as prevent any automatic remediation actions from being run by the monitoring agent that may cause the server updates to fail.
Updating the Server
Install the update following the deployment notes for that update type.
Update rollups come in the form of a .MSP file (Windows Installer Patch) that is applied to the server. Simply double-click the file or launch it from a command line window.
Service packs are a complete reissue of the Exchange Server setup files and are installed by running setup in upgrade mode, which can be run in either graphical or command line mode.
C:\> setup /m:upgrade
Both update rollups and service packs can take some time to install, so plan a large window of time for these updates.

Verifying the Update
After the update has completed, and if necessary the server rebooted, you should check the server’s health before placing it back into production in the CAS array.
Event Logs – look for error or warning events that have started since the update was applied.
Setup Logs – service packs write a complete setup log file to C:\ExchangeSetupLogs
Services – check the Exchange services are running (or at least those that you expect to be running, some such as IMAP and POP will be stopped if you have not explicitly enabled them)
[PS] C:\>Get-Service *exchange*

Status   Name                DisplayName
------   ----                -----------
Running  MSExchangeADTop...  Microsoft Exchange Active Directory...
Running  MSExchangeIS        Microsoft Exchange Information Store
Running  MSExchangeMailb...  Microsoft Exchange Mailbox Assistants
Running  MSExchangeMailS...  Microsoft Exchange Mail Submission
Stopped  MSExchangeMonit...  Microsoft Exchange Monitoring
Running  MSExchangeRepl      Microsoft Exchange Replication
Running  MSExchangeRPC       Microsoft Exchange RPC Client Access
Running  MSExchangeSA        Microsoft Exchange System Attendant
Running  MSExchangeSearch    Microsoft Exchange Search Indexer
Running  MSExchangeServi...  Microsoft Exchange Service Host
Running  MSExchangeThrot...  Microsoft Exchange Throttling
Running  MSExchangeTrans...  Microsoft Exchange Transport Log Se...
Running  msftesql-Exchange   Microsoft Search (Exchange)
Running  vmickvpexchange     Hyper-V Data Exchange Service
Stopped  wsbexchange         Microsoft Exchange Server Extension...
Returning the Server to Production
If the update was successful and the server healthy then it can be placed back into production.
Re-enable services such as Forefront Protection for Exchange.
C:\> fsutility /enable
Re-enable monitoring agents and alarms for the server.
Set the server’s activation policy back to its original setting.
[PS] C:\>Set-MailboxServer EX1 -DatabaseCopyAutoActivationPolicy Unrestricted
At this stage you might move all of the active mailbox databases to the server that was just updated so that you can update the other servers in the DAG. After all of the DAG members have been updated it is likely that mailbox databases will be active on servers that are not their first activation preference.
For Exchange Server 2010 RTM you can view the activation preferences for each database, and manually move active mailbox databases to their preferred server.
[PS] C:\>Get-MailboxDatabase | fl name,activationpreference

Confirm
Are you sure you want to perform this action?
Moving mailbox database "Mailbox Database 01" from server "EX2.exchangeserverpro.local" to server
"ex1.exchangeserverpro.local".
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y